That would be motivation enough for me to install Cyanogenmod. The latest version has options that not only actually enforce the proper security controls, they actually let you revoke permissions from apps that supposedly require them. I don't think that 'use your camera LED as a flashlight' app actually needs SD card access, but without Cyanogenmod your only choice is use the app or don't.

I was never a fan of the Sense interface anyways. It seems like everybody hates the manufacturer-specific Android skins. Here's an even better reason not to use them.

Like one commenter said, many custom ROM's actually increase the security of the device by allowing permission revokation & other restrictions. Custom ROM's with Superuser access also allow the installation of 3rd party security-oriented apps.

The article was looking at Sprint only; it is quite possible that other carriers pushed a similar OTA update that produces the same exposure. I'm running CM7, but my wife still uses HTC Sense. I've sent her a link; perhaps this will finally get her to make the jump.

So HTC have an app that records your email passwords... and uses TCP local loopback (at least its not public! Or is it?) to make it available (rather than the proper Android services mechanism complete with process policing).